In this blog, I'll delve into how you can troubleshoot errors in SAP IAS related to SSO and S/4 HANA private cloud. As you may know, SAP IAS is a highly competitive product when it comes to integrating SAP SaaS and PaaS solutions with S/4 HANA. Its main focus is on integration, security, compliance, simplicity, and scalability, making it an ideal choice for businesses looking to streamline their operations and ensure data security.
However, even with a reliable product like SAP IAS, errors can still occur, causing frustration and inconvenience for customers. In this blog, I will explain how we can track an error in IAS and strive to resolve it, using a real example from an issue we recently faced. Specifically, I will explore an escalation call with a customer and SI to resolve an error the customer was receiving when trying to log in to their S/4 HANA external Fiori link.
The customer claimed that SSO was configured via IAS and had been working before. Recently, when their users clicked on the Fiori link (https://fiori-test.contoso.com) and authenticated with their corporate email (@test.example.com), SSO no longer worked.
I will show you how to troubleshoot this error, step by step, to help you understand the process and resolve similar issues that may arise in future.
Let’s first explain the high-level architecture of our scenario.
As you see in the diagram below, S/4 HANA is hosted in Azure (the hyperscaler) and supported by the SAP ECS team, and the IAS tenant (SAP Identity Authentication Service) is integrated with the customer's multiple IdPs. IAS enables this customer to authenticate with their Azure or Google IdPs. The existing integration lets the customer log on to their Fiori launchpad link (S/4 HANA) via the SAML2 protocol without re-entering the user password at the S/4 HANA level once the respective IdP has authenticated the user.
In other words, users click on the Fiori link, are prompted only once to log on with their corporate email to Google or Azure, and after they are authenticated they reach S/4 Fiori and any tiles in their S/4 Fiori dashboard seamlessly:
SSO integration with IAS and IdPs
If you follow the numbers in the diagram above, you can see that when a user from business group A (originating from the Azure IdP) clicks on the Fiori link, the request is directed to IAS and then redirected to the Azure IdP; after the user authenticates successfully, they have access to the SAP Fiori dashboard and can open the S/4 QA tile or any other tiles for SAP SaaS enabled in their dashboard, similar to the one below:
Fiori dashboard tiles
Here is a simple Architecture Diagram for this solution:
A simple Architecture Diagram for our scenario
Basically, the SAML2 configurations for all SaaS applications and for S/4 HANA were set up in the Applications section of this customer's IAS tenant:
https://***.accounts.ondemand.com/admin/#/applications
Applications & Resources > Applications:
All IdPs for the different departments, each with its respective domain, are configured in the IAS Identity Providers section:
https://***.accounts.ondemand.com/admin/#/idPProxies
Identity Providers > Corporate Identity Providers:
IAS Corporate Identity Provider
There are three areas we probably need to check during our troubleshooting to find the root cause of this issue:
Identity Provider: This is the IAS Identity Provider for the Google test domain (@test.example.com) in our scenario
Application: This is the application in IAS representing S/4 HANA (the QA1 system), i.e. the customer test system the Fiori link points to
S/4 HANA QA system: Check the SAML2 configuration in S/4 HANA (ABAP) QA system including a review of the certificate expiration date
The best way to tackle this issue is to first download the error logs from IAS and from the S/4 system (if there are any errors) and then upload them to the SAP Support Log Assistant self-service tool for analysis, as below:
Support Log Assistant 2.0 - Self Service Tool
For further detail about Support Log Assistant, check SAP Note 2990062 or the video link below:
Support Log Assistant - Self Service Tool Overview [Video]
Support Log Assistant is a great tool that can help you find the best resolution for your errors, and you can upload multiple error log files to it simultaneously. It is much better than searching on the internet or even asking ChatGPT!
To export error logs from IAS:
Log in to SAP IAS, go to Monitoring & Reporting > Troubleshooting Logs and click on "Download".
IAS error logs
To export error logs from a NetWeaver ABAP system, please follow these links:
Troubleshooting SAML 2.0 error trace
1332726 - Troubleshooting Wizard
After I uploaded the logs to Support Log Assistant, the analysis guided me to a few Notes; the main note relevant to our specific issue was Note 2698094.
Below you can see the result of Support Log Assistant after it analyzed the logs:
Support Log Assistant Analyze
As you see, there was a reference to SAP Note 2698094, which was the most relevant to one of the main errors we were facing in IAS:
"Identity Provider could not process the authentication request received due to client error. The digital signature of the received SAML2 message is invalid. Caused by: Unable to validate signature Caused by: Signature length not correct"
Basically, to be on the safe side after reviewing the Note, I requested a fresh metadata XML (with the certificate) for the Google test domain from the Google team, to reapply it by importing it into the existing IAS Google test IdP. After that, we would upload the metadata response from S/4 HANA to the S/4 QA application in IAS.
To do so, we first had to export the existing IAS tenant SAML2 certificate (tenant metadata) and apply it in S/4, then regenerate a new metadata response from the S/4 HANA QA ABAP system.
The final step would be to upload this new S/4 HANA QA metadata response, which reflects the IAS tenant's latest SAML certificate, to the QA application in IAS, which was the application causing the SSO issue.
By doing the steps above we renewed the certificate at every layer involved in this solution, to make sure SAML2 trust can be established properly again.
Here are the steps I followed to resolve this issue:
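The three layers above hold copies of each other's SAML metadata, and the certificate inside that metadata is what goes stale. Below is an added example (my own script, not code from the blog, from SAP IAS or from S/4 HANA) that makes the "review of the certificate expiration date" and the "do the layers still agree" checks concrete using only the Python standard library: it parses SAML 2.0 metadata XML, fingerprints each X509Certificate, reads the certificate's notAfter date with a minimal DER walker, and compares the IdP metadata an SP imported earlier (the S/4 HANA trusted provider, or an IAS corporate IdP entry) with the metadata the IdP publishes now. The tenant URL and the certificates are constructed placeholders; the test certificates are X.509-shaped DER with only the fields the checker reads filled in, not real certificates. With real metadata files you would pass the two XML texts to check_trust.

```python
"""Compare the SAML 2.0 IdP metadata an SP still trusts with what the IdP publishes now.
Added example, not code from the blog or from SAP; standard library only."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _der_tlv(value, pos)
        out.append((tag, val))
    return out


def cert_not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    tbs = _der_children(_der_children(der)[0][1])[0][1]   # Certificate -> tbsCertificate
    fields = _der_children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version (v3 certificates)
        fields = fields[1:]
    tag, stamp = _der_children(fields[3][1])[1]   # serial, sigAlg, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(stamp.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_metadata(xml_text):
    """entityID, role and certificates (use, sha256, not_after) of one EntityDescriptor."""
    root = ET.fromstring(xml_text)
    role, desc = "IdP", root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        role, desc = "SP", root.find("md:SPSSODescriptor", NS)
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        b64 = kd.find(".//ds:X509Certificate", NS).text
        der = base64.b64decode("".join(b64.split()))
        certs.append({"use": kd.get("use", "signing encryption"),   # no use attr = both
                      "sha256": hashlib.sha256(der).hexdigest(),
                      "not_after": cert_not_after(der)})
    return {"entityID": root.get("entityID"), "role": role, "certs": certs}


def _signing_fingerprints(meta):
    return {c["sha256"] for c in meta["certs"] if "signing" in c["use"]}


def check_trust(trusted_snapshot_xml, current_idp_xml, now=None):
    """Findings when an SP's imported IdP metadata no longer matches the live IdP metadata."""
    now = now or datetime.now(timezone.utc)
    old, new = parse_metadata(trusted_snapshot_xml), parse_metadata(current_idp_xml)
    findings = []
    if old["entityID"] != new["entityID"]:
        findings.append(f"entityID differs: {old['entityID']} vs {new['entityID']}")
    if not _signing_fingerprints(old) & _signing_fingerprints(new):
        findings.append("signing certificate rotated: the SP trusts none of the IdP's "
                        "current signing certificates, re-import the IdP metadata")
    for label, meta in (("SP-trusted", old), ("IdP-current", new)):
        for c in meta["certs"]:
            if c["not_after"] <= now:
                findings.append(f"{label} {c['use']} certificate expired on "
                                f"{c['not_after']:%Y-%m-%d}")
    return findings


# ---- constructed sample data: placeholder tenant and synthetic certificates ----
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def make_test_cert(not_after, serial):
    """X.509-shaped DER with only the fields the checker reads filled in; not a real cert."""
    utc = lambda s: _der(0x17, s.encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),           # version v3
        _der(0x02, bytes([serial])),
        _der(0x30, b"\x06\x00"), _der(0x30, b""),  # signature alg, issuer (empty)
        _der(0x30, utc("230101000000Z") + utc(not_after)),
        _der(0x30, b""), _der(0x30, b"")]))        # subject, SPKI (empty)
    return _der(0x30, tbs + _der(0x30, b"\x06\x00") + _der(0x03, b"\x00"))


def make_idp_metadata(entity_id, cert_der):
    b64 = base64.b64encode(cert_der).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="{entity_id}">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>')


TENANT = "https://example-tenant.accounts.ondemand.com"   # placeholder, not the customer's tenant
OLD_CERT = make_test_cert("240101000000Z", 1)   # what S/4 HANA still trusts for IAS
NEW_CERT = make_test_cert("260101000000Z", 2)   # what the IAS tenant metadata carries now
SP_SNAPSHOT = make_idp_metadata(TENANT, OLD_CERT)
IAS_NOW = make_idp_metadata(TENANT, NEW_CERT)


def demo(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    return check_trust(SP_SNAPSHOT, IAS_NOW, now=now)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Running it reports two findings for the constructed data: the signing certificate has rotated (the S/4 side trusts a fingerprint IAS no longer publishes) and the certificate S/4 trusts expired on 2024-01-01. Either finding on real metadata points you at the same remedy the steps below apply: re-export the current metadata and re-import it at the layer that holds the stale copy.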
Step 1-Renew Google Test (IdP) in IAS:
Log on to the customer's IAS tenant and go to Identity Providers > Corporate Identity Providers:
Corporate Identity provider for Google-Test domain
Then navigate to “SAML 2.0 Configuration” and upload the metadata XML file we received from the Google team for the @test.example.com domain by clicking on “Browse” and pointing to the .XML file:
IdP SAML2.0 Configuration
Google IdP configuration detail
Make sure “Forward All SSO Request to Corporate IdP” is on:
Forward All SSO to Corporate IdP ON
And in the “Identity Federation” section, use the Identity Authentication user store:
Identity Federation on
Step 2-Export IAS tenant certificate:
To export metadata from the IAS tenant, navigate to IAS Tenant Settings > SAML 2.0 Configuration:
IAS SAML2.0 Configuration
Click on “Download Metadata File” to get it in XML format:
Download Metadata File
This export file can be shared with IdP providers like Azure and Google, and it will also be used to get the final metadata response from the S/4 HANA QA system.
Step 3-Upload IAS SAML XML in S/4 HANA QA system via SAML2 tcode:
Log on to the QA1 system in S/4 HANA, run tcode SAML2, then navigate to the “Trusted Provider” tab and upload the two metadata files (certificates) from IAS and the IdP:
Upload SAML2.0 Certification to S/4 system
Generate the metadata response from S/4 HANA:
In the QA1 system in S/4 HANA, run tcode SAML2, then go to the “Local Provider” tab and export the metadata:
Download the response certificate from S/4 system
Make sure to check all three options before clicking on “Download Metadata”, then save the file as QA1.xml; it will be uploaded to the QA1 application in the IAS Applications section.
Step 4-Upload the S/4 HANA SAML response to the QA system in IAS Application:
Open the respective app in IAS by going to the “Applications” section and clicking on QA1-100:
Upload the certificate response from S/4 to its respective Application in IAS
Click on “SAML2.0 Configuration”, then upload the XML metadata (QA1.xml) from the QA1 system (Step 3) by clicking on "Browse". The rest of the details are populated after the upload is done; there is no need to fill in any entry except re-entering your Fiori link as the Default URL:
Upload XML metadata in Application system in IAS
S/4 Application signing detail
Attention: always check the “Conditional Authentication” section of your application and click on “Add Rule” to add your identity provider (matching the email domain the user logs on with) if it is not already there:
Conditional Authentication entry for the IdP domain
Note: If any SaaS application faces a similar issue, we just need to renew its certificate in IAS in a similar fashion.
I hope that after reading this blog you will be able to troubleshoot errors in SAP IAS and understand how you can enable SAML2 for corporate IdPs for SSO.
Conclusion
- When you face errors in IAS, upload the error logs to Support Log Assistant for analysis first
- Depending on your error, you may need to troubleshoot the IdP, the Applications, or the S/4 HANA system
- After reviewing the related note you will most likely have an idea of which layer you need to focus on
- To resolve the issue you need hands-on experience with the security aspects of IAS, SaaS, PaaS, and S/4
- Please consider this a team effort and make sure all the required teams are involved
- Do not create a ticket (incident) for SAP Support before doing your due diligence, since multiple teams need to be involved and it may not be resolved in one easy call
You can always follow the SAP Business Technology Platform tag to post and answer questions:
https://blogs.sap.com/tags/8077228b-f0b1-4176-ad1b-61a78d61a847/
To follow the SAP BTP Security tag, post and answer questions:
https://blogs.sap.com/tags/842ea649-eeef-464c-b80c-a64b03e40158/
References:
Note 2942816 - How to export and self-analyze Troubleshooting logs from Identity Authentication
Note 3058189 - The digital signature of the received SAML2 message is invalid. Caused by: Certificate is expired
Note 2698094 - Given url does not contain SAML2 authentication request for validation
Note 2645425 - The digital signature of the received SAML2 message is invalid
Exporting the SAML Identity Provider Metadata:
https://help.sap.com/docs/CIAS_SFC/da4de2635ac348d9aebf4ace57826092/9d33762b9a5e4f92ab01c77a2d8165a0...
Configure SAML 2.0 Service Provider:
https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/51f1f7550dc24aa99...
Tenant SAML 2.0 Configuration:
https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/e81a19b0067f46469...
You can follow me on SAP People: amin_omidy
Thanks!